Ssl expiry sensor in docker

After changing to a docker installation on rpi3, I am struggling to get the ssl expiry sensor working:


My configuration:

# Sensor to read number of days left on TLS/SSL certificate
  - platform: command_line
    name: SSL cert expiry
    unit_of_measurement: days
    scan_interval: 10800
    command: "ssl-cert-check -b -c /etc/letsencrypt/live/lbbakery.dk/cert.pem | awk '{ print $NF }'"

Which was done following the official docs:

I have searched the forums and can appreciate it is an issue about exposing the script to docker, but cannot find a definitive answer/example.
Has anyone got this working?
Thanks.

Is the path you mentioned the path on your host (so the Raspberry Pi) and not the Docker container? With path I mean this:

/etc/letsencrypt/live/lbbakery.dk/cert.pem

If so, you might want to mount that directory, so that you can access it in the Docker container itself.

If you use a docker run command like the one mentioned here, you could add the following parameter to that command:

-v /etc/letsencrypt/live/lbbakery.dk:/path-in-container

And then change your sensor command to:

command: "ssl-cert-check -b -c /path-in-container/cert.pem | awk '{ print $NF }'"

Now, in both the parameter and the command above I used ‘path-in-container’, but simply change that to something you want. In the docker run command I linked to, the Home Assistant config is placed in the /config directory in the container itself. So, for something like this I would suggest something like /certs.

Hope this helps.

Thanks for the reply.
I tried both the following in my docker run command:

-v /etc/letsencrypt/live/lbbakery.dk:/config/certs

-v /etc/letsencrypt/live/lbbakery.dk:/certs

and the following in my configuration.yaml:

command: "ssl-cert-check -b -c /config/certs/cert.pem | awk '{ print $NF }'"


command: "ssl-cert-check -b -c /certs/cert.pem | awk '{ print $NF }'"    

…but no joy. It’s strange, as there are no errors in the log.

ssl-cert-check is not included in the HA docker image

$ docker exec -it homeassistant  bash
I have no name!@7e5700cee030:/usr/src/app$ which ssl-cert-check
I have no name!@7e5700cee030:/usr/src/app$ ssl-cert-check
bash: ssl-cert-check: command not found

Hmm, well that explains it :frowning:
Anyone know of a work around?
At the moment, I am experiencing that the benefits of running ha in docker are less than the limitations it gives (although I will freely admit that I am still very much at a basic level when working with docker).

You have three options that I know of

  1. Build your own image from the HA image and add the packages you need. But you need to build your image for every HA update

  2. Install the packages in the container manually. But you have to do this for every container you create

  3. Use ssh to log in to your host and run the command there. But this rather breaks the limited access container philosophy of docker.

The dilemma is, as I see it, that the point of docker is to isolate your program from its environment, whereas the point of HA is to control your environment. I’d like to use HA with docker (I have plenty of other containers running), there are just too many problems like this for me to make the leap.

Thanks for your input.
Number 3 kind of brings me back to where I am. I have ssl-cert-check installed on my host and want to get the output into the ha instance.

What I did was use stat on the certificate with a template sensor that basically subtracts stat output - 90 days.

Ok. Nice.
Any chance you could post some details (otherwise I’ll have some serious brushing up to do on my bash knowledge :slightly_smiling_face:)

Can’t you just point it to the URL:

sensor:
  - platform: cert_expiry
    host: hass.myserver.com
    name: Server Cert Expires

This is what I have set up.


sure, use this custom component to get the certificate created date:


this is the required command:

stat -c '%y' /path/to/your/cert.pem | awk 'FNR==1 {print $1}'

then take the output and use this template:

- platform: template
  sensors:
    ssl_cert_expiry:
      friendly_name: "SSL Cert Expiry"
      value_template: '{{ 90 - (( as_timestamp(now()) - as_timestamp(strptime(states.sensor.ssl_cert_issued.state, "%Y-%m-%d")) )/ (3600*24)) | round(0) }}'
      unit_of_measurement: DAYS
      entity_id: sensor.time,sensor.ssl_cert_issued

Yes, that works. Only drawback is it updates every 12 hours I think, and if you restart HA then you have to wait till update to auto-populate.

That’s not the behavior I see… do you have this sensor not included in recorder?

I can’t recall if I did when I tried it. If it works great. Much easier than all else.

I’m running in Docker and I just use the “Certificate Expiry” sensor:

Here is my working config:

- platform: cert_expiry
  host: mydomain.duckdns.org
  name: My Domain Cert Expiry

I use that for hass.io as well. Works perfectly.
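
What a host-based check like the cert_expiry sensor in the posts above boils down to, as an added example that is not from the thread or from Home Assistant's own code: handshake with the host, read the served certificate's notAfter, convert it to whole days. The file name cert_days.py and the function names are made up here; it uses only the Python standard library, so it could back a command_line sensor on the assumption that the container has a python3 interpreter.

```python
#!/usr/bin/env python3
"""cert_days.py (hypothetical name): days left on the certificate a host serves."""
import socket
import ssl
import sys
import time

SECONDS_PER_DAY = 86400


def days_until(not_after, now=None):
    """Whole days from `now` (epoch seconds) until a notAfter string such as
    'Jan  5 09:34:43 2018 GMT'. Negative once the certificate has expired."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // SECONDS_PER_DAY)


def served_not_after(host, port=443, timeout=10.0):
    """Complete a TLS handshake and return the leaf certificate's notAfter.

    The default context verifies the chain and the hostname, so an expired or
    mismatched certificate raises ssl.SSLCertVerificationError instead of
    returning a date."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def main(argv):
    if len(argv) != 2:
        print("usage: cert_days.py HOST", file=sys.stderr)
        return 2
    try:
        print(days_until(served_not_after(argv[1])))
    except OSError as exc:  # covers socket errors and ssl.SSLError
        # Report the failure on stderr and leave stdout empty.
        print(f"certificate check failed: {exc}", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because this reads the certificate the server actually presents, it needs no access to the files under /etc/letsencrypt and no extra packages in the container.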

Download https://github.com/Matty9191/ssl-cert-check/blob/5d23004b69684b030c3fd579b888851520dfc85d/ssl-cert-check to your ha folder, the same folder as configuration.yaml and the ssl certificates.
Connect to the console of your docker (you will need portainer to do this) and issue the command
chmod +x ssl-cert-check

change your config to:

sensor:
  - platform: command_line
    name: SSL cert expiry
    unit_of_measurement: days
    scan_interval: 43200
    command: "./ssl-cert-check -b -c fullchain.pem | awk '{ print $NF }'"
